Chinese APTs Share Linux Backdoor in Telco Attacks - Dark Reading
Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks

"Showboat" doesn't show off, but clearly it doesn't need to, as it's long helped China spy on small market communications providers.

Nate Nelson, Contributing Writer
May 21, 2026

For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.

The malware is called "Showboat," or "kworker." Black Lotus Labs observed different clusters of Showboat activity against totally dissimilar targets — from an Internet service provider (ISP) in Afghanistan to an unknown IP in the disputed Donbas region of eastern Ukraine — suggesting that Chinese advanced persistent threats (APTs) are trading it around.

At least one of those APTs is Calypso, according to PricewaterhouseCoopers (PwC). First observed in 2019, Calypso is one of China's lesser-discussed espionage groups, perhaps because its activity occurs in countries where Western cybersecurity companies have less visibility on average: Afghanistan, Kazakhstan, Turkey, and India, for example. Calypso uses Showboat alongside a Windows backdoor of roughly similar sophistication, called "JFMBackdoor."

The Showboat Exploitation Framework

Showboat is a useful but unexceptional spy tool, which makes it all the more surprising that Chinese threat groups have used it in total secrecy, gathering what might amount to serious geopolitical intelligence for four years running.

Its most significant trick, arguably, is its ability to scan for and then infect devices on a local area network (LAN) that aren't otherwise connected to the public Internet. "So if you do happen to find this in your network, there's probably a whole lot of other bad stuff in the network, and you're about to have a very long weekend," says Danny Adamitis, principal information security engineer at Black Lotus Labs.

Though perfectly capable, Showboat hardly goes toe-to-toe with China's top-of-the-line telco malware. BPFdoor, for example, is an expert in living-off-the-land, almost imperceptibly concealing its command-and-control (C2) traffic in HTTPS requests and Internet Control Message Protocol (ICMP) pings. In Adamitis' assessment, Showboat "is not the best backdoor I've ever seen. To me this feels like almost a newer version of a ShadowPad where it's just [notable for] kind of cool capabilities."

Yet Showboat's banality could be as much a design feature as a flaw. After all, why invest in a highly complex, bespoke tool when something simple and easy gets the job done?
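A defender-side check added here, not code from the article or from Black Lotus Labs: the article says nothing about how Showboat appears on a host, so this assumes only that a user-space process borrowing the kernel's "kworker" thread name deserves inspection. Genuine kworker threads are children of kthreadd (PID 2), have an empty cmdline and have no resolvable exe link; the check flags any kworker-named process that breaks one of those properties, and the sample process table is constructed.

```python
# Added example, not code from the article or Black Lotus Labs. Assumes only
# that a user-space process using the kernel "kworker" name is worth a look.
import os
from dataclasses import dataclass

KTHREADD_PID = 2  # parent of every genuine kernel worker thread

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm, e.g. "kworker/0:1"
    cmdline: str   # /proc/<pid>/cmdline, empty for kernel threads
    has_exe: bool  # True if /proc/<pid>/exe resolves to a file

def is_suspicious_kworker(p: Proc) -> bool:
    """A kworker-named process is suspicious if any kernel-thread property fails."""
    if not p.comm.startswith("kworker"):
        return False
    return p.ppid != KTHREADD_PID or bool(p.cmdline) or p.has_exe

def flag_suspicious(procs: list) -> list:
    """PIDs of kworker-named processes that are really user-space."""
    return [p.pid for p in procs if is_suspicious_kworker(p)]

def read_proc_table() -> list:
    """Build Proc records from a live /proc (run as root so exe links resolve)."""
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{pid}/stat") as f:
                # after the ")" closing comm the fields are: state, ppid, ...
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
        except OSError:
            continue  # process exited or is unreadable; skip it
        # exists() follows the symlink, so it is False for kernel threads
        procs.append(Proc(pid, ppid, comm, cmdline, os.path.exists(f"/proc/{pid}/exe")))
    return procs

# Constructed sample: a genuine kernel thread, an impostor, an unrelated daemon.
SAMPLE = [
    Proc(12, KTHREADD_PID, "kworker/0:1", "", False),
    Proc(4242, 1, "kworker/u8:3", "/tmp/.cache/kworker", True),
    Proc(900, 1, "sshd", "/usr/sbin/sshd -D", True),
]
```

Calling `flag_suspicious(read_proc_table())` on a live Linux host returns the PIDs to triage; without root, exe links of other users' processes do not resolve, so that signal only fires for processes you own.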
Evidence suggests that the malware has been around since at least mid-2022, but by the time the researchers got to it this year, it registered a grand total of zero detections on VirusTotal (VT): as little as any ultra-stealthy, bespoke, native spy multitool that even the best Typhoon has access to.

"You don't necessarily always have to write your backdoors exclusively in assembly and do a weird matching packet thing over ICMP," Adamitis says. "It appears as though they're still having a moderate degree of success with something that, in my mind, is a little bit more run of the mill."

Where Showboat isn't the right tool, the threat actors that use it can dip into a pool of malware shared broadly among Chinese threat actors. "Red Lamassu (a.k.a. Calypso) has historically used PlugX, a malware family widely shared and reused across multiple China-based threat actors," notes PwC threat intelligence analyst Daniel van Apeldoorn. These days, he adds, "it can tailor its toolset, deploying a Linux backdoor in Linux-heavy environments (such as telecommunications infrastructure, which often runs on Unix-based systems) and a Windows backdoor when targeting corporate or enterprise environments where Windows is dominant."

China's Malware Experiments

Black Lotus Labs researcher Ryan English expands on Adamitis' point. "What China likes to do is they'll designate certain parts of the world as kind of a laboratory. They'll test [malware] against perfectly updated virtual systems, then they'll bring it out into the real world in a small market test. Does this work against that bank in Africa? Does this work against that telco in Vietnam? And if it does, they're feeling more confident to bring it out to more serious targets."

At least some of the data seems to support the interpretation that Showboat was conceived of as a small market solution.

Black Lotus Labs tracked multiple, apparently separate Chinese threat clusters passing it around, without committing to it for long, high-value campaigns against any targets of supreme value. For example, one threat cluster seemed to use Showboat rather randomly, connecting at different times to IP addresses in the US and in the Donbas region. Another deployed it against organizations in countries with less mature cybersecurity on average: an ISP from Afghanistan, and other unnamed victims in Azerbaijan and the Middle East. Meanwhile, the Calypso activity tracked by PwC targeted a telecommunications provider in Afghanistan.

English speculates that Showboat might have found success in these smaller markets. "Somebody said: Perfect is the enemy of good enough. And they let it run. I think that they were probably being economical with that."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.

He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.

He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.